Using RIPS: "Userinput reaches sensitive sink." << error I am getting with RIPS.

96: mysql_query $food = mysql_query($query_foodall, $foodsend) or die (mysql_error());
95: $query_foodall = sprintf("SELECT * FROM food WHERE id = %s", getsqlvaluestring ($colname_foods, "int"));
92: $colname_foods = $_GET['id']; // if(isset(mysql_real_escape_string($_GET))),

I have tried to place mysql_real_escape_string() in a few places but no such luck. I am not sure what I am doing incorrectly. Any pointers would greatly be appreciated.
You have to sanitize the query BEFORE you execute it with mysql_query(). Besides that, you might want to take a look at PDO instead, as the mysql_* library is deprecated.
I have seen so many wrong ways of performing a query with the mysql_ API (which you shouldn't be using in the first place), but you take the cookie. That simply means you are doing many things wrong, and as nice_swd points out, you shouldn't use anything that starts with mysql_, as all those functions are deprecated and will make your website very easily open to MySQL injection attacks. Now, for the moment, if you want to just go ahead with your current code, then use:

$colname_foods = !empty($_GET['id']) ? mysql_real_escape_string($_GET['id']) : null; // escape BEFORE the value goes into the query
$query = "SELECT * FROM food WHERE id = '$colname_foods'";
$result = mysql_query($query) or die(mysql_error());
while ($row = mysql_fetch_array($result)) { // single = (assignment), not == (comparison)
    print_r($row); // do anything with this data
}
Well, if you find PDO too much to handle at this moment, you should look at this one: https://github.com/simon-eQ/PdoNoodle Although the script is far from being what I would like it to be, it should give you some quick solutions to simple queries, and it is definitely more secure code than yours.
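The PDO route the replies above recommend, as an added example that is not code from any poster in this thread: the same food-by-id lookup, with the raw GET value validated as an integer and then bound through a prepared statement, shown next to the string-spliced query RIPS is complaining about. It assumes an in-memory SQLite database with constructed rows so it runs stand-alone; in practice the DSN would point at MySQL.

```php
<?php
// Added example, not the original poster's code. Constructed SQLite table
// standing in for the real `food` table so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE food (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO food (id, name) VALUES (1, 'apple'), (2, 'bread')");

// Pattern from the thread: the request parameter becomes part of the SQL text,
// which is exactly the "user input reaches sensitive sink" path RIPS flags.
function foodByIdUnsafe(PDO $pdo, string $rawId): array
{
    $sql = "SELECT * FROM food WHERE id = $rawId";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: validate the type first, then pass the value as a bound
// parameter so the database never interprets it as SQL.
function foodByIdSafe(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        return null; // reject anything that is not a positive integer
    }
    $stmt = $pdo->prepare('SELECT * FROM food WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs standing in for $_GET['id']: one well-formed, one tampered.
foreach (['2', '2 OR 1=1'] as $raw) {
    echo "input: $raw\n";
    echo "  unsafe query returned " . count(foodByIdUnsafe($pdo, $raw)) . " row(s)\n";
    $safe = foodByIdSafe($pdo, $raw);
    echo "  safe lookup: " . ($safe === null ? 'rejected' : $safe['name']) . "\n";
}
```

The tampered input makes the unsafe query return every row, while the hardened function never sends it to the database at all; with the validation step removed, the prepared statement would still only compare `id` against the bound value.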
Yeah, like I said before, the code is not my choice. It's what I have to work with. Thank you for the link. I have built items in PDO and it seems pretty good so far. I am trying to learn mysqli more.